PostgreSQL buffer overflow, NGINX rewrite bypass, and a ksmbd file handle hijack

The refint (referential integrity) contrib module in PostgreSQL has a stack buffer overflow and a SQL injection path. An attacker who can trigger refint functions (for example, through crafted foreign key operations) could execute arbitrary SQL or potentially crash the server. Exploitation requires the attacker to have at least the ability to insert or update data in tables using refint triggers.

Included because

high CVSS 8.8; SQL injection and buffer overflow; common product; database tier

Affected estate

PostgreSQL 16.12-1 on Azure Linux 3.0.

How to check

Run `psql --version` or `rpm -q postgresql` to confirm the installed version. Check if any databases use `CREATE EXTENSION refint` or reference refint trigger functions.

Action

Patch PostgreSQL via `tdnf update postgresql` and restart the service.

Urgency

Patch within 24 hours

Why it matters

A stack overflow and SQL injection in a database engine can lead to full data compromise or server crashes.

Source

Azure Linux Security Advisory

A vulnerability in NGINX's rewrite module (ngx_http_rewrite_module) could let an attacker send crafted requests that break rewrite rule processing. Depending on the configuration, this could lead to unexpected behavior, bypassing access controls, or crashing the worker process. Since the rewrite module is enabled by default in most NGINX configs, exposure is broad.

Included because

high CVSS 8.1; internet-facing; common product; rewrite module enabled by default

Affected estate

NGINX 1.28.3-1 on Azure Linux 3.0.

How to check

Run `nginx -v` or `rpm -q nginx` to confirm the installed version.

Action

Update via `tdnf update nginx` and run `nginx -s reload`.

Urgency

Patch within 24 hours

Why it matters

NGINX is typically internet-facing, and the rewrite module is almost universally enabled, making this a wide exposure surface.

Source

Azure Linux Security Advisory

The in-kernel SMB server (ksmbd) doesn't properly validate ownership of durable file handles when a client reconnects. An attacker on the network could hijack another user's file handle after reconnection, gaining access to files they shouldn't be able to touch. This only affects you if ksmbd is enabled; most environments use Samba in user space instead.

Included because

high CVSS 8.8; network-accessible; authentication bypass on file handles

Affected estate

Azure Linux 3.0 systems running kernel 6.6.137.1-2, 6.6.138.1-1, or 6.6.139.1-1 with the ksmbd module loaded.

How to check

Run `uname -r` to check the kernel version. Run `lsmod | grep ksmbd` to see if the module is loaded.

Action

Update the kernel via `tdnf update kernel` and reboot. If ksmbd isn't needed, unload it immediately with `modprobe -r ksmbd`.

Urgency

Patch within 24 hours

Why it matters

An attacker on the network can hijack another user's file handles, potentially reading or modifying sensitive files.

Source

Azure Linux Security Advisory

GnuTLS has a bug in how it reorders DTLS packets. When two packets arrive with the same sequence number, the sorting logic produces undefined behavior that can crash the process. A remote attacker can trigger this by sending duplicate-sequence DTLS packets, causing a denial of service. This only affects services using DTLS (UDP-based TLS), not standard TLS over TCP.

Included because

unauthenticated; remote denial of service; CVSS 7.5; limited to DTLS use cases

Affected estate

Any system with GnuTLS installed where DTLS is in use.

How to check

Run `gnutls-cli --version` or check the package version with your package manager (e.g., `rpm -q gnutls` or `dpkg -l libgnutls*`).

Action

Update gnutls via your package manager and restart services that depend on it.

Urgency

Patch this week

Why it matters

A remote attacker can crash any DTLS-reliant service with crafted packets, no authentication required.

Source

NVD